
Remote locations

11 Posts
4 Users
0 Reactions
1,129 Views
jblakley
(@jblakley)
Estimable Member
Joined: 19 years ago
Posts: 110
Topic starter  

How do you handle getting computers from remote locations? Do you have a local contact do the image there at the location, or do you fly out? Do you have them ship it to you? If so, how do you handle chain of custody?

Thanks!


   
UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

J,

For remote collections, here are my considerations:

1) First I look at what type of issues are involved in the case. If the case involves just a general commercial dispute wherein a request to perform forensic analysis would be extremely unusual, then a logical image collection should be acceptable to the requesting party.

I always explain to counsel the fact that performing a logical collection versus a physical collection will preclude forensic analysis in the event my attorney client prefers to put into place an agreed order or stipulation with the requesting party upfront before any collection occurs.

This gives the requesting party the chance to object to a logical collection before this critical path decision is made (logical image or physical image). Deciding whether to perform a logical or physical collection is a decision that only the attorneys on the case must make, so it is the forensic professional's responsibility to (1) explain the differences upfront and (2) allow the attorneys to decide accordingly which way to go.

One of the most important aspects of my own capabilities is that I am 100% independent, certified in the tools I use, and have provided live testimony in Federal court.

Remind the attorneys that whomever performs the collection could become a witness in the case and hopefully this will spur a healthy discussion about whether or not "saving money" by having a litigant perform self collection is advisable given the underlying case issues.

2) Technical considerations

A. Do the remote workstations to be collected allow USB devices to be connected to a live system? If one intends to ship an external USB drive with FTK Imager on that external drive to perform a logical collection, USB devices need to be allowed.

B. Is the remote workstation drive content encrypted at the hard drive level, and in what manner? If so, performing a physical image may not work without other steps taking place prior to imaging.

C. Are the workstations to be collected running virtualized desktops? If so, the local workstation drive may contain no user generated content and the actual user content may be stored in a virtualized desktop on a corporate server.

D. What sort of security protocols are in place that might prevent an application such as FTK Imager from running from an external USB collection hard drive?

3) Practical methods

A. Go to osdisc.com and order a DEFT Live USB thumb-drive ($15.00), a DEFT DVD ($5.00) and a CAINE DVD ($5.00), ship them to the remote location and guide and supervise the remotely located custodian on using one of these tools to create a physical image to a fresh external USB drive which can be shipped back to you.

For added security, use one of Apricorn's physical keypad encryption external USB drives.

B. Ship an external USB drive with a pre-loaded copy of FTK Imager to the custodian. Boot up a web meeting, have the remote custodian give you control of their computer and then use FTK Imager to perform a logical collection of targeted folders.

FTK Imager's "custom content" option can be a great option as one can password protect the resulting .AD* images.

C. For capturing remote Linux system data, try DCFLDD.

D. For capturing remote Mac OS X systems, download and burn Sumuri's Paladin Linux DVD, which works best with Mac computers in my own personal experience.

4) Chain of custody documentation

I have a great template COC document I can share with you if you send me a PM.

During the collection process, if you are guiding the custodian through a remote collection, work with them to capture the make, model and serial numbers of the workstation and the internal hard drive(s). Also capture any corporate "asset tag" numbers if they exist. This information should be entered into the COC document.

If the remotely collected data is being shipped back to you via FedEx or UPS, have the person shipping the evidence enter the FedEx/UPS tracking number on the COC form.

Hope this helps.

Larry


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

How do you handle getting computers from remote locations? Do you have a local contact do the image there at the location, or do you fly out? Do you have them ship it to you?

It really depends on the location, nature of the work, and the capabilities of the locally-available staff.

If so, how do you handle chain of custody?

In many cases, clients that I've worked with already have a chain of custody form, so we use theirs. In some cases, I've had the images arrive before we were even notified and provided a CoC form. 😉

A lot of the work that I do doesn't require a CoC form.


   
jblakley
(@jblakley)
Estimable Member
Joined: 19 years ago
Posts: 110
Topic starter  

Larry/Harlan,

Thank you for the awesome responses! Here are a few questions that I have:

"B. Ship an external USB drive with a pre-loaded copy of FTK Imager to the custodian. Boot up a web meeting, have the remote custodian give you control of their computer and then use FTK Imager to perform a logical collection of targeted folders."

This is exactly what I did. I had a local contact pick some drives up and take them to the location. After connecting them, I uploaded EnCase Forensic Imager to the remote drive and did a full acquisition per request.

The local contact shipped it back to me, but we didn't complete a CoC for this. There are reasons that I feel we shouldn't need to (like we didn't collect the computers even though a physical acquisition was done because they were still in use), but is it too late for me to email it to them, have them fill their part out, and then have them scan and email it back to me?

I know that most of you guys are with LE or one in a previous life, but I'm still struggling to see how a CoC helps in a corporate environment. We don't have a "checkout" station per se meaning that once I receive the equipment from someone, I can have them sign a CoC, but I'm the last person that has it to do the acquisition and analysis. When I hand the equipment back to the original person that gave it to me, I'm also handing them the CoC. I'm now trusting them to also follow suit in that if they hand it off to someone, they'll have it properly filled out - but that won't happen most times.

How do the courts in civil suits view CoC? I read an interesting article today that made it sound like CoC in e-discovery cases can also be considered the report that describes how you acquired the image, who had access to the image, etc. Is that the case (no pun intended)? Also, I would assume it would be the same in corporate incident response in that if the documented actions are considered your CoC, maybe they do the same for e-discovery?

So, here's another question (I have a lot of unknowns for the documentation piece):

If I'm handing over a portable drive that has an image on it, do I have the person that I'm handing it to sign a CoC for that since it's not best evidence? I've read two schools of thought in that a third-party, be it opposing counsel or LE, may take your form and use it for documentation that you had a CoC, and/or they won't sign it because you're not handing over real equipment but only an image. Any thoughts on that?

And if CoC is important to be with images, equipment, etc., what happens if I'm trusting the person at the location to complete one, and they simply forget to do it? Can you go back and fill one out, or do you simply forget it? I would think you could go back and fill it out with the date and approximate handoff time, but I'm not sure if that comes out in court or if that would be challenged.

Thank you very much for your responses!!


   
UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

J,

Please see my responses below

1Q "The local contact shipped it back to me, but we didn't complete a CoC for this. There are reasons that I feel we shouldn't need to (like we didn't collect the computers even though a physical acquisition was done because they were still in use), but is it too late for me to email it to them, have them fill their part out, and then have them scan and email it back to me?"

1A My understanding of the basic "chain of custody" concept is "control", meaning a written, detailed record of who had control over evidence at any given time.

For example, when I use FTK Imager or my Tableau TD2's to create forensic images, I always type out the make, model and serial numbers of the computers and internal hard drives being imaged. This way the resulting FTK Imager log and Tableau log have a record of the exact evidence I imaged, the date of the imaging and verification hash value results.

** I would look at the type and nature of case you worked on for guidance, and I am going to assume you work in civil litigation and not criminal litigation, but the fact that there is not a written chain of custody document that accompanied the resulting forensic image files on the external USB hard drive shipped back to you should not affect your case.

In other words, let's say your opponent theorizes that someone at FedEx took out the forensic image files, restored the image to a new hard drive, made changes to key evidence, and then created a new forensic image that was then shipped to you. That is theoretically *possible* but incredibly unlikely. A COC document would just show that the evidence was shipped to you via FedEx tracking number ######.

It is better to have a chain of custody document that follows around the original evidence and/or forensic image file copies, but the lack of a COC document does not mean there is any evidence of the underlying evidence in the forensic image files being changed or altered. If a client is shipping me an original hard drive or phone to image, I will email them a chain of custody document, instruct them on how to fill it out, and have them include the COC document with the evidence they are shipping me.

So, in the very rare instance of FedEx or UPS losing the package, my client would be protected because they would have a written record of transferring control of the evidence to FedEx or UPS.

2Q "I know that most of you guys are with LE or one in a previous life, but I'm still struggling to see how a CoC helps in a corporate environment. We don't have a "checkout" station per se meaning that once I receive the equipment from someone, I can have them sign a CoC, but I'm the last person that has it to do the acquisition and analysis. When I hand the equipment back to the original person that gave it to me, I'm also handing them the CoC. I'm now trusting them to also follow suit in that if they hand it off to someone, they'll have it properly filled out - but that won't happen most times."

2A See above example of how having a COC document can protect you if FedEx/UPS loses the evidence while it is under their control. In your situation, I would definitely keep copies of all COC documents so that you can definitively state, for example, "Based upon this COC document, I no longer have control of the evidence that went missing."

3Q "How do the courts in civil suits view CoC? I read an interesting article today that made it sound like CoC in e-discovery cases can also be considered the report that describes how you acquired the image, who had access to the image, etc. Is that the case (no pun intended)? Also, I would assume it would be the same in corporate incident response in that if the documented actions are considered your CoC, maybe they do the same for e-discovery?"

3A Definitely best practice to record makes/models/serial numbers/tools used. A written record trumps an oral record in most cases. COC documents who had control over the evidence at specific dates and times, so you would have to consider under what possible circumstances your forensic process might be challenged, if at all.

4Q "So, here's another question (I have a lot of unknowns for the documentation piece) If I'm handing over a portable drive that has an image on it, do I have the person that I'm handing it to sign a CoC for that since it's not best evidence? I've read two schools of thought in that a third-party, be it opposing counsel or LE, may take your form and use it for documentation that you had a CoC, and/or they won't sign it because you're not handing over real equipment but only an image. Any thoughts on that?"

4A Please consider always sending forensic image files as TrueCrypt (or BestCrypt) containers and then send the recipient the TrueCrypt container password in a separate email. This way, even if FedEx/UPS/recipient loses the forensic image files, you will not need to report the loss of evidence should it have contained PCI/HIPAA type information (because it was encrypted and inaccessible to any party that might find the lost evidence). This encryption step is far more important than COC documentation, in my opinion.

5Q "And if CoC is important to be with images, equipment, etc., what happens if I'm trusting the person at the location to complete one, and they simply forget to do it? Can you go back and fill one out, or do you simply forget it? I would think you could go back and fill it out with the date and approximate handoff time, but I'm not sure if that comes out in court or if that would be challenged"

5A Your COC document will protect you to some extent if subsequent recipients of the evidence lose the evidence (because you will have documentation showing the now lost evidence was no longer under your control when it was lost). However, as I mentioned above, wrapping the evidence files in a password protected TrueCrypt container is far more important from a workflow standpoint. If a password protected TrueCrypt container is lost after it leaves your control, you will be able to make a new copy to send to the recipient, secure in the knowledge that the lost copy is inaccessible to whomever finds it.

If you find any of this information helpful, please consider me and my company as a resource to you for services.

Regards,

Larry


   
jblakley
(@jblakley)
Estimable Member
Joined: 19 years ago
Posts: 110
Topic starter  

Thank you again Larry!

So have you ever had a client ship you a drive with an image, or even equipment that you were supposed to image, without a CoC? Did you email them the CoC at that point and ask them to fill it out before you started anything?


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

As always I may well be wrong, but there is IMHO a difference between an actual piece of evidence and a copy of it (the image).

I mean, let's examine a few hypothetical "remote" scenarios.

Base assumptions
You are the forensic expert.
On the remote site there is a John Doe (whom you do not know personally, with whom you have not previously worked, who has no previous digital forensic experience, etc.).

Case #1
You instruct the John Doe to take PC #23, disconnect it from mains, network, etc., pack it into a box and send it to you via FedEx.

Case #2
You instruct the John Doe to take PC #23, disassemble from it the hard disk, pack it into a box and send it to you via FedEx.

Case #3
You send John Doe a bootable disk via FedEx, instruct him to boot PC #23 from it, then you do the acquisition through a remote connection, saving it to the bootable disk, and I presume you have a hash (actually two if you used EnCase, SHA1 and MD5).
Then you instruct the John Doe to take the disk, disconnect it from mains, PC, etc., pack it into a box and send it to you via FedEx.

In case #1 the package can be intercepted and the PC #23 can be replaced but there are low probabilities that the set of instructions can be misunderstood.

In case #2 the package can be intercepted and the hard disk originally belonging to PC #23 can be replaced and there are some probabilities that the act of removing it from the PC damaged it.

In case #3 there is the added possibility (paranoia) that someone intercepts the package containing the disk you sent to John Doe and replaces it with (say) a hacked one with a firmware that filters all .jpegs and trashes them into unreadable files 😯 , then the rest is OK, because it's you that are actually doing the acquisition and you already have the hashes for the image as soon as the imaging process is completed, so there is no way (again, if we are not going into paranoia) that John Doe or the (good) FedEx guys messed with the hard disk that is sent back to you without you finding this out.

jaclaz


   
jblakley
(@jblakley)
Estimable Member
Joined: 19 years ago
Posts: 110
Topic starter  

Jaclaz,

In your examples, how do you handle CoC? Let's say this person doesn't send you the form. Do you have them fill it out when you realize that you don't have it in the box and he didn't email it to you? Would you walk him through it over the phone days later, or is there a certain time window in which the CoC needs to be completed for it to be valid?

Thanks!


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Jaclaz,

In your examples, how do you handle CoC? Let's say this person doesn't send you the form. Do you have them fill it out when you realize that you don't have it in the box and he didn't email it to you? Would you walk him through it over the phone days later, or is there a certain time window in which the CoC needs to be completed for it to be valid?

Thanks!

The point I was trying to make is that in case #3 (which is your case if I got it right) there is IMHO no real *need* of a CoC, since what is delivered to you via FedEx is something that you made yourself and that you have the means to verify for authenticity/lack of changes yourself.

More or less, if the delivered image on disk verifies authenticity, the ONLY thing that can have happened (and that should NOT normally happen on a local chain of custody) is an unauthorized duplication (by John Doe or by the evil 😉 FedEx guys).

Imagine that you actually physically travel to the remote site (abroad), you do the acquisition and on your way back for some stupid reason (customs laws) you are not allowed to physically cross the border of the foreign country you are in holding the hard disk in your hands, but you have to give it to a customs officer who brings it into a separate room to (say) x-ray it; do you believe that you can convince (in the local language) a customs officer of (say) Whateveristan to sign your CoC?

But as I see it there are no problems, as you have the hashes of the image jotted down on a Post-it and already self-emailed to your office; when you are back home you verify them and everything is fine.

In cases #1 and #2 I would be very worried by (much more than the CoC and well before it):

  • John Doe's (missing) qualification(s)
  • John Doe's (unknown/unspecified) power of attorney or authorizations to actually act on behalf of the local company or on your behalf
  • John Doe's (missing) affidavit stating that he actually got to PC #23, that he actually sent to you that disk (and not another one) etc., etc.
  • John Doe's (missing) proof of identity, etc., etc.

I.e. all the things that are implicit in a "local" chain of custody: the evidence is given to (and the form signed by) known, qualified, responsible, authorized people that you know (and who, if needed, can be called as witnesses in court).

jaclaz


   
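The two points the thread converges on are (a) jaclaz's case #3, where the examiner already holds the hashes of the image before the disk is handed to anyone, so authenticity on arrival is checked by re-hashing rather than by paperwork, and (b) Larry's acquisition-log fields (make, model and serial of host and drive, tool, date, verification hashes) plus a CoC record of who released and who received the item on each leg. The following Python is an added example, not code from any poster or from any tool named in the thread; it models that workflow end to end. The image bytes, hardware identifiers and tracking number are constructed placeholders, and the carrier names used by `custody_gaps` are a simplifying assumption.

```python
"""Hash verification and chain-of-custody bookkeeping for a remotely acquired image.

Added example (not from the forum thread). Flow modelled:
  1. at acquisition time the examiner records MD5 and SHA1 (two hashes, as the
     thread mentions) together with the hardware identifiers and a timestamp;
  2. the disk travels by courier, each handoff logged as a CustodyEvent;
  3. on arrival the image is re-hashed and compared with the recorded digests.
All image bytes, serial numbers and tracking numbers are constructed placeholders.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AcquisitionRecord:
    """The facts an acquisition log should pin down at imaging time."""
    host_make_model: str
    host_serial: str
    drive_make_model: str
    drive_serial: str
    tool: str
    acquired_at: str  # ISO 8601 UTC timestamp
    md5: str
    sha1: str


@dataclass(frozen=True)
class CustodyEvent:
    """One leg of the chain of custody: who released the item, who received it,
    when, and the carrier tracking number if the leg was a shipment."""
    released_by: str
    received_by: str
    timestamp: str
    tracking_number: str = ""


def hash_image(data: bytes, chunk_size: int = 1 << 20) -> Tuple[str, str]:
    """Compute MD5 and SHA1 in one pass, streamed in chunks so the same loop
    works unchanged for a multi-gigabyte image read from disk."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for offset in range(0, len(data), chunk_size):
        block = data[offset:offset + chunk_size]
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def record_acquisition(data: bytes, host_make_model: str, host_serial: str,
                       drive_make_model: str, drive_serial: str, tool: str,
                       acquired_at: str = "") -> AcquisitionRecord:
    """Hash the freshly acquired image and bind the digests to the hardware
    identifiers and timestamp. This is the record the examiner keeps (and can
    e-mail to the office) before the disk is handed over for shipping."""
    md5, sha1 = hash_image(data)
    stamp = acquired_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    return AcquisitionRecord(host_make_model, host_serial, drive_make_model,
                             drive_serial, tool, stamp, md5, sha1)


def verify_image(data: bytes, record: AcquisitionRecord) -> Dict[str, bool]:
    """Re-hash the image that arrived and compare with the acquisition record.
    Both digests must match; a mismatch in either means the bytes differ from
    what was acquired, whatever the accompanying paperwork says."""
    md5, sha1 = hash_image(data)
    md5_ok, sha1_ok = md5 == record.md5, sha1 == record.sha1
    return {"md5_ok": md5_ok, "sha1_ok": sha1_ok, "verified": md5_ok and sha1_ok}


def custody_gaps(events: List[CustodyEvent]) -> List[str]:
    """Check the written chain for holes: each leg's receiver must be the next
    leg's releaser, and a shipment leg must carry a tracking number. Carrier
    detection by name prefix is an assumption of this example."""
    gaps = []
    for prev, nxt in zip(events, events[1:]):
        if prev.received_by != nxt.released_by:
            gaps.append(f"{prev.received_by} received the item but {nxt.released_by} released it next")
    for ev in events:
        if ev.received_by.lower().startswith(("fedex", "ups")) and not ev.tracking_number:
            gaps.append(f"shipment leg {ev.released_by} -> {ev.received_by} has no tracking number")
    return gaps


if __name__ == "__main__":
    # Constructed stand-in for the image bytes (a real run would read the image file).
    image = bytes(range(256)) * 4096
    rec = record_acquisition(image, "Example Corp Model X (placeholder)", "HOST-0001",
                             "Example Drive 500GB (placeholder)", "DRV-0001",
                             "placeholder imaging tool", "2014-01-01T10:00:00+00:00")
    print("on arrival:", verify_image(image, rec))
    tampered = bytearray(image)
    tampered[1000] ^= 0x01  # a single flipped byte is enough to fail both digests
    print("after one flipped byte:", verify_image(bytes(tampered), rec))
    chain = [CustodyEvent("Examiner (remote session)", "John Doe (custodian)", "2014-01-01T11:00:00+00:00"),
             CustodyEvent("John Doe (custodian)", "FedEx", "2014-01-01T15:00:00+00:00", "TRACKING-PLACEHOLDER"),
             CustodyEvent("FedEx", "Examiner", "2014-01-03T09:00:00+00:00", "TRACKING-PLACEHOLDER")]
    print("custody gaps:", custody_gaps(chain))
```

The design point is the one jaclaz makes: `verify_image` does not consult the custody log at all, because the hashes recorded at acquisition are what prove the bytes are unchanged. `custody_gaps` covers the separate question Larry raises, which is documenting who controlled the item when, so that a lost package can be placed on a specific leg.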
UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

J,

Please see my responses below

1Q So have you ever had a client ship you a drive with an image, or even equipment that you were supposed to image, without a CoC?

1A Yes I have. Even when I send the client my COC document upfront with an easy to understand explanation of how to fill it out, on occasion (to Jaclaz' point) the client will either not fill out the COC document correctly, or just not send it.

2Q "Did you email them the CoC at that point and ask them to fill it out before you started anything?"

2A No, I will not refuse to begin working on the project if they do not sign and return to me the COC document. I am able to document to a court accepted level everything that transpires with the evidence while it is under my control (via acquisition logs, hash values, and the results of my analysis). My forensic analysis work must 100% be repeatable by a qualified peer (if peer A analyzed the same hard drive using the same tools, their results would be the same as mine).

Even without a COC document from the client, in every instance I have email records of discussing with the client where to ship the evidence and what will be on the evidence. I send my clients prepaid FedEx labels so that I can cost recover for shipping and track the shipments, thus resulting in emails from FedEx about the evidence being shipped and picked up by me on specific dates and times. This is a very detailed documentation of the entire evidence transfer process (from the client to me). FedEx probably has the client and me on videotape entering their facilities, but I do not ask for copies of their video.

COC, in my opinion, documents who had control of the evidence at what specific dates and times.

When I have received original evidence without COC documentation, my forensic process does not change, meaning I document what occurs to the evidence while it is under my control, most importantly through the forensic acquisition logs / hash values.

I cannot emphasize enough the point that (at least in civil litigation matters - I cannot speak to criminal matters), the underlying issues in the case (construction delay claims versus theft of trade secrets matters), and the agreed order(s) that attorneys on the matter execute (is self collection, logical collection or physical imaging acceptable) must inform your work.

You should follow your own documented, repeatable forensic best practice in every case you work on, and it is our responsibility as forensic professionals to advise attorneys upfront of the differences between self/logical/physical collection, but the fact that your client did not send you a chain of custody document when evidence was shipped to you will not change the results of your forensic imaging and analysis.

If you take a hard stance that the client sign a COC document before you begin work, thus spurring the attorneys to become involved, what will happen if the attorneys look at you and say, "What specific problem exists that the missing first leg of COC presents to us?" "Did your imaging and analysis show that the original evidence appears tampered with before it came under your control?" "How do the specific problems you are attaching to the lack of the first leg of COC documentation (client shipping evidence to you) relate to this case, which ultimately will hinge on a judge's determination regarding whether or not insurance coverage applies, based on an insurance industry expert's opinion about the interpretation of a single clause within a single contract located within an email attachment within a PST file in the My Documents folder?" "Did you find any evidence that the metadata values of the original hard drive / PST file / email / attached PDF contract were tampered with?"

Are you in a position to ask your attorney clients for a copy of the latest complaint for each matter you work on? Complaints are public record (see www.pacer.gov for Federal complaints).

The complaint will be your best guide to understanding the underlying issues in the case and will enable you to say to the attorneys, "Because this case involves allegations of misconduct, an independent third-party forensic collection expert is called for, as I am an employee of the defendant and thus cannot claim independence."


   
Page 1 / 2